On Wed, May 06, 2020 at 04:20:59PM +0800, Yang Weijiang wrote: > Control-flow Enforcement Technology (CET) provides protection against > Return/Jump-Oriented Programming (ROP/JOP) attack. There're two CET > sub-features: Shadow Stack (SHSTK) and Indirect Branch Tracking (IBT). > SHSTK is to prevent ROP programming and IBT is to prevent JOP programming. > > Several parts in KVM have been updated to provide VM CET support, including: > CPUID/XSAVES config, MSR pass-through, user space MSR access interface, > vmentry/vmexit config, nested VM etc. These patches have dependency on CET > kernel patches for xsaves support and CET definitions, e.g., MSR and related > feature flags. > > CET kernel patches are here: > https://lkml.kernel.org/r/[email protected] > > v12: > - Fixed a few issues per Sean and Paolo's review feeback. > - Refactored patches to make them properly arranged. > - Removed unnecessary hard-coded CET states for host/guest. > - Added compile-time assertions for vmcs_field_to_offset_table to detect > mismatch of the field type and field encoding number. > - Added a custom MSR MSR_KVM_GUEST_SSP for guest active SSP save/restore. > - Rebased patches to 5.7-rc3. > ping...
Sean and Paolo, Could you review v12 at your convenience? Thank you!
